Signaling arrangements in a cellular mobile telecommunications switching system.



This invention relates to apparatus and
methods for providing cellular mobile telecom- 
munication service in accordance with the re- 
quirements of the Global Systems for Mobile 
Communications (GSM) standard. A modular 
switching system is provided which performs 
the functions of the mobile switching center 
(210) plus those of a home location register 
(212), authentication center (216), visitor location
register (214), and equipment identity register
(218). The latter functions are
advantageously spread among the modules of 
the switching system, thus avoiding the getting 
started cost of expensive dedicated data bases. 
A wireless global switching module advan- 
tageously switches mobile communications 
control messages among the modules of the 
system and between the modules and the base 
station systems (204), and terminates signaling 
links between the mobile switching center and 
the base station systems. 
Technical Field

This invention relates to signaling arrangements for wireless telecommunications systems. 
Problem

Mobile radio systems for permitting customers calling from mobile stations such as vehicular stations 
mounted in automobiles, portable stations of medium weight which may be transported readily, or small lightweight,
hand held personal communication stations are becoming increasingly prevalent. (For the sake of simplicity,
all such units are referred to hereinafter as mobile stations.) Such systems use the principles of cellular
technology to allow the same frequencies of a common allocated radio bandwidth to be reused in separated 
local areas or cells of a broader region. Each cell is served by a base transceiver station comprising a group 
of local transceivers connected to a common antenna. The base station systems, each comprising a controller 
and one or more transceiver stations are interconnected via a switching system, called a mobile switching center,
which is also connected to the public switched telephone network. Such cellular systems are now entering
a second generation characterized by digital radio communications and a different set of standards such as 
the European Global Systems for Mobile Communications (GSM) standard, promulgated by the Special Mobile 
Group (SMG). 



Such mobile telecommunications systems have many units which need to communicate signaling information
for controlling establishment of connections. Such signaling information is communicated over channels
separate from the channels carrying actual voice or data communications between the customers being connected.
Among the units that need to communicate are the mobile station (MS), the Base Station System (BSS)
connected by radio to the mobile station, the mobile switching center (MSC) and the various data bases which
are consulted for the establishment of mobile calls including the home location register (HLR), the visitor location
register (VLR) and the equipment identity register (EIR).

Signaling arrangements for land based telephone systems include the use of a global switch module, de- 
scribed hereinafter, which serves as an interface between a local switching system and common channel sig- 
naling data links, and the arrangements described in Warty et al.: U.S. Patent 4,827,499 used for a predecessor 
mobile switching system. 

A problem of the prior art is that there is no economic, efficient way of establishing all of these signaling
communication paths. The problem is further compounded when a distributed control system such as the
5ESS® Switch described in The AT&T Technical Journal, vol. 64, no. 6, part 2, July/August 1985, pages 1305-1564,
which is modular and which has separate call control processors for controlling each of the switching
modules of the system is used as the MSC.



The above problem is solved and an advance is made over the prior art in accordance with the principles 
of applicants' invention wherein a special signal switching means, a wireless global switching module (WGSM)
is added to the system and is used as a data switch for essentially all signaling communications for mobile
calls; these virtual circuit connections include connections to BSSs, to wireless switch modules (WSMs) (and 
their control processors), and to WSMs containing HLR or VLR data. All WSMs are connected to the WGSM 
by message delivery paths, terminated on each end by a protocol handler. Each BSS is connected to the 
WGSM via a signaling data link to a WSM, through the WSM via a digital facility interface and a time slot interchange
unit, through the communication module (time multiplexed switch), to a protocol handler of the
WGSM. Temporary virtual circuits (Signaling Connection Control Part (SCCP) connections) are then set up 
between the WGSM and a BSS. All of the associated data connections for a call or other wireless service are 
identified by a common reference number for handling by a common protocol handler. A subfield of the reference
number identifies that protocol handler. These connections are then used to serve the WSMs and the
MS. The WGSM logically terminates the signaling links between a BSS and the MSC to process the CCITT
Signaling System 7 (SS7) protocols to and from the BSS. Advantageously, the WGSM acts as a data switch 
to transmit the CCITT messages to a protocol handler at the correct destination. 

In one specific implementation of the invention, the mobile switching center is a 5ESS® switch which comprises
a plurality of switching modules and a communications module for interconnecting the switching modules.
In this distributed architecture, each BSS is physically connected via signaling data links to at least two
WSMs through at least two protocol handlers in the WGSM. Advantageously, such an arrangement allows a 
high degree of reliability. If, for example, one switching module or protocol handler of the WGSM is out of service
and the BSS is physically connected to several switching modules, then the signaling path from the BSS to 
the WGSM can go over a physical channel to the other switching module connected to that BSS, and the connection
to that other module can be established through the communication module of the 5ESS switch.

The WGSM protocol handlers terminate signaling data links and distribute Base Station System Application 
Part (BSSAP) messages to the appropriate wireless switching module (WSM) of the mobile switching center. 
In return, the WSM may then transmit a message via the WGSM to a BSS or a MS where appropriate. In accordance
with one aspect of this invention, the Temporary Mobile Subscriber Identification (TMSI) is encoded
to include an indication of which WSM contains the VLR data for the mobile station identified by that TMSI. 
The protocol handlers of the WGSM are also equipped to translate from the International Mobile Subscriber 
Identification to an indication of the module that contains data for the mobile station. 


Brief Description of the Drawing 

FIG. 1 is a block diagram of the basic GSM model of a mobile switching center and its direct and indirect 
interfaces; 

FIG. 2 illustrates how this model is implemented in one exemplary embodiment;

FIG. 3 illustrates the various signaling protocols used for signaling messages in mobile telecommunications 
systems; 

FIG. 4 illustrates the interconnections among mobile stations, land-based stations, base station systems,
the public switched telephone network, and a mobile switching center;
FIG. 5 illustrates the physical paths used for signaling and for voice or data interconnections;

FIGS. 6-8 illustrate the signaling interconnections including the role of the wireless global switch module
(WGSM); 

FIGS. 9-13 illustrate the process of establishing a mobile to land call; 
FIG. 14 illustrates the release of a mobile call; 
FIGS. 15-18 illustrate the handover process;

FIGS. 19-21 illustrate the handover process in terms of message exchanges; 
FIGS. 22-28 illustrate an incoming call to a mobile station. 

Detailed Description 


FIG. 1 is a block diagram of the reference model for the European standard, the Global Systems for Mobile 
Communications (GSM). Each of the lines interconnecting blocks of the diagram that is identified with a letter, 
has a GSM standard specified interface. Briefly, the purpose of each of the blocks is the following: 

The Home Location Register (HLR) 102 contains data for a mobile customer. The data stored in the HLR 
is the permanent data that is independent of the customer's present location, plus temporary data such as
the addresses of Service Centers which have stored short messages for a mobile station. (An example of such 
a message is a request to turn on a "voice message waiting" lamp indicating that a voice message has been 
stored for the mobile station user in a voice messaging system.) These addresses are erased after the short 
messages have been delivered. The HLR also indicates the Signaling System 7 point code used to find a module
that contains the Visitor Location Register (VLR) 104 currently associated with the mobile station.

The VLR contains current data for each mobile customer, including that customer's mobile station's present 
or most recently known location area, the station's on/off status, and security parameters. A remote VLR 106 
connected via a G interface is also shown. 

The authentication center (AUC) 108 provides authentication and encryption parameters to ensure that 
a mobile customer cannot falsely assume the identity of another mobile customer and provides data for encryption
of the voice or data, and control signals transmitted via the air between the mobile station and a serving
BSS. The GSM reference model prescribes digital communication over the radio channels. Since it is possible
to listen to these radio channels, encryption becomes desirable for the link between the mobile station
and the radio transceiver at a base station serving that mobile station. 
The Mobile Switching Center (MSC) 110 is for switching calls involving at least one mobile station.

The BSS 112 comprises a base station controller (BSC) 114 and one or more base transceiver stations 
(BTS) 116 for communicating with mobile stations (MS) 120. The BSS and the MS communicate via radio con- 
nections. The BSS is also connected via trunks to carry the voice or data, and control messages between the 
mobile stations and the MSC. The BSC and BTS may be in different physical locations (for example, the BSC 
may be co-located with the MSC) in which case a trunk is required to interconnect the two. Sm represents the
human interface to the MS. 

The equipment identity register (EIR) 124 retains a record of ranges of certified equipment identifications 
and ranges of or individual equipment identifications which are under observation or barred from service. The 
equipment identification information is received from a mobile station at the mobile switching center. The EIR
is used to verify that the equipment number of the MS is certified for use in the public network and is not on
the observation or service barred list. 

Mobile switching centers are connected to other mobile switching centers, directly or via the public switch- 
ed telephone network 128, to the public switched telephone network for accessing land-based customer sta- 
tions and to integrated services digital network (ISDN) networks 126 for communicating according to the pro- 
tocols of ISDN. 

While the standards specify the functions of each of these blocks, they do not specify how each of these 
blocks is to be implemented. It is the purpose of this description to illustrate one arrangement for implementing 
these standards in an advantageous manner. 

FIG. 2 illustrates the system architecture for implementing a GSM mobile communication system. The mo- 
bile station (MS) 202 communicates with the BSS 204 over radio links 206 using optionally encrypted digital 
radio communications for the voice or data, and control connections between the MS and the BSS. The MS 
communicates via the BSS with the mobile switching center (MSC) 210. The BSS and MS exchange control
messages with the mobile switch center using the CCITT signaling system 7 protocol (SS7). 

In this arrangement the HLR 212, VLR 214, AUC 216 and EIR 218 records are all integrated into the MSC
210. When an MSC needs the HLR, VLR, AUC or EIR records from another network entity, it obtains them
via SS7 messages transmitted to the entity that currently holds this information. 

The MSC communicates with a billing center 220 for accumulating billing records using the CCITT X.25
protocol and also communicates with an Operations and Maintenance Center (OMC) 222 using the CCITT X.25
protocols. The OMC communicates with BSSs via the MSC using SS7. In one implementation, the OMC communicates
with a customer administration system 224 using a standard RS-232 link. In addition, maintenance
messages between the BSS and OMC are transmitted using SS7 with the Base Station System Operation
Maintenance and Administration Part (BSSOMAP) protocol.

Signaling System 7 is described in detail in A. R. Modarressi et al.: "Signaling System No. 7: A Tutorial," 
IEEE Communications Magazine, July 1990, pages 19-35. The GSM standard protocols are specified in the
GSM standard specifications, which at this time is in version 3.8.

FIG. 3 is a diagram of the protocols used in different types of communications, according to the GSM standard.
Most of these protocols are those of SS7. Of the seven layers of the protocol according to the International
Standards Organization (ISO) layered message protocol, only the top (application layer) and the bottom
three layers (Network, Data and Physical) are shown on the left. Four types of messages are shown: The first
double column includes those from switching system to switching system for land-based trunks including either
a telephone user part (TUP) or an ISDN user part (ISUP) (both SS7 standards) for the application layer. The
second column is for messages among MSCs, VLR, HLR and EIR which messages use the SS7 standard
Transaction Capabilities (TC), Transaction Capabilities Application Part (TCAP) and Mobile Application Part
(MAP) sublayers of the application layer (MAP is enhanced with GSM standards). When these messages are
strictly internal to the MSC, these protocols are simplified and messages transmitted directly or via protocol
handlers between the responsible processors. The third column is for communications between the mobile 
switching center and a BSS. The final column is for communications between the mobile switching center and 
mobile station. 

The three bottom sublayers of the protocol (layer 1, the physical layer, layer 2, the data layer, and sublayer
3, the message transport part (MTP) sublayer, a sublayer of the network layer) are identical for all of these
types of communications and are in accordance with the SS7 Message Transport Part (MTP) standards of
the CCITT Q.701 - Q.707 standard. The Signaling Connection Control Part (SCCP), a sublayer of the network
layer, also a CCITT standard Q.711-Q.714, is connection oriented for the MSC/MS communications, is connectionless
for the second column, and may be either for the MSC/BSS communications. SCCP is available
for some ISUP applications. For the first column (switch to switch) the TUP and ISUP application layer communicates
directly with MTP 3 sublayer of the network layer.

Communications between the MSC and either the BSS or the mobile station use a Radio Subsystem (Base
Station System) Application Part (BSSAP) protocol. For communications between the mobile switching center
and the BSS, layer 7 uses the protocols of the BSSAP including a Base Station System Management Application
Part (BSSMAP). The communications between the mobile switching center (MSC) and the mobile station
are performed in the protocols of BSSAP including a Direct Transfer Application Part (DTAP). BSSAP, including
BSSMAP and DTAP, are GSM standards.

FIG. 4 is a basic block diagram of a mobile switching center 400 (switch), as implemented using AT&T's
5ESS® Switch. The switch, described in detail in The AT&T Technical Journal, vol. 64, no. 6, part 2, July/August
1985, pages 1305-1564, (Journal) includes an administrative module 402, a communication module 404, and
a group of switching modules 408-412. The switching modules applicable in the GSM network are of four types:
a wireless switching module (WSM) 406 for communicating with BSSs, and also optionally communicating with
the public switched telephone network (PSTN); switching modules (SM) 408 for communicating with the PSTN;
a wireless global switch module (WGSM) 410 for serving the signaling communication needs for controlling
calls involving mobile stations; and a PSTN Global Switch Module (PSTN GSM) 412 used if PSTN trunks are
of ISUP or TUP types, i.e., use SS7 for signaling to the PSTN. The PSTN GSM processes ISUP or TUP protocols
and can optionally also be connected to PSTN trunks.

The functions of the administrative module (AM), communications module (CM) and switching module 
(SM), in relation to the PSTN are essentially as described in the referenced Journal. The purpose of the WGSM,
as described hereinafter, is to simplify the signaling communications between BSSs and the WSM serving
calls for the BSS, and between the MS and the WSM. The PSTN GSM is for controlling common channel signaling
between the MSC and the PSTN. The PSTN GSM is connected by message delivery paths to protocol
handlers in the SMs. 

The signaling architecture of the mobile switching center is significantly simplified by having signaling messages
go through a common set of data switches and protocol handlers in a wireless global switching module
(WGSM). Physically, the wireless global switching module is connected via nailed up channels (message delivery
paths) switched through the time multiplexed switch of the communications module to each of the wireless
switching modules. These are 64 kilobit channels, the same as the PCM voice channels of the 5ESS switch
communications module. Over another nailed up physical channel connecting the WGSM with a WSM, messages
are sent for a BSS via virtual channels in that physical channel; other virtual channels of that physical
channel carry messages that originate from or are destined for the mobile stations.

The wireless switching modules (WSM) are combined packet and circuit switching modules each comprising
a switching module processor (SMP), a packet switching unit (PSU) comprising a plurality of protocol handlers
interconnected by a local area network, and circuit switching arrangements including a digital facility interface
(DMI) and a time slot interchange unit (TSIU). The TSIU is connected to a time multiplexed switch of
the communications module for interconnecting the switching modules. Switching modules comprising a packet
switching unit are disclosed in M. W. Beckner et al.: U.S. Patent 4,592,048.

The signaling paths between the BSS, WSM, and the wireless global switching module (WGSM) are as 
follows. Each base station is connected by digital carrier facilities to two or more of the wireless switch modules 
504 (FIG. 5). Many of these digital facilities include one or more signaling channels, the signaling channels
from each BSS being connected to at least two WSMs. The signaling channel is connected via the digital interface
of this wireless switch module 504 into the TSIU of the wireless switch module and is thereby connected
through the communication module 506 and to a protocol handler (PH) in the wireless global switch module. 
The wireless global switch module protocol handlers are interconnected via a local area network in the packet 
switch unit of the WGSM. 

The portion of the signaling path between the WGSM and a destination wireless switch module is as follows.
The WGSM has at least one protocol handler with a port for transmitting messages to and receiving messages
from a specific wireless switch module. This port is connected to a message delivery path that passes
via a nailed up connection through a time multiplexed switch of the communications module. Each such message
delivery path is a 64 kilobit data link and is connected to a port of a protocol handler at each end. In case
of a failure of a protocol handler at either end, spare protocol handlers can be used to replace the failed protocol
handlers. The protocol handler in the wireless switch module communicates on its local area network side via
a packet interface with a switching module processor of the WSM. This switching module processor performs
call processing and generates or processes, for example, the BSSAP portion of a message between a WSM
and a BSS. The message delivery paths and the physical signaling data links interconnecting a BSS and a
wireless switch module carry a plurality of virtual data paths, usually, temporary virtual data paths (SCCP connections)
associated either with a mobile call or a mobile service such as a location update.

These signaling arrangements have a number of advantages. By having at least two signaling data links 
between each base station and at least two wireless switch modules, redundancy is gained and operation can 
continue even if either of the signaling channels (including the protocol handlers at each end of a signaling
channel) or a WSM fails. The use of a single wireless global switch module with inherent sparing of protocol
handlers concentrates the translation information required to select a destination wireless switch module when,
for example, VLR data for a particular customer, as identified by that customer's International Mobile Subscriber
Identification (IMSI) is required. Failure of one or more of the protocol handlers in the WGSM can be overcome
by replacing a failed protocol handler with a working spare and by properly initializing that protocol handler
to take over the functions of a failed protocol handler. Local reference numbers, discussed hereinafter, are
used to identify SCCP connections. As described hereinafter, because key information is stored in the local
reference numbers, and because duplicate records are maintained on all stable SCCP connections through
protocol handlers of the WGSM, none of these connections are lost even though they may have been served
by a failed protocol handler.

The WGSM has at least one spare protocol handler per shelf of a PSU. In the event of a failure of any 
protocol handler, a spare takes its place. If no redundant data were available, then in the event of a simplex
failure in a protocol handler the dynamic data regarding SCCP connections would be lost and consequently
all BSSAP calls switched through that protocol handler would be lost. Redundancy of this data is added to the
software architecture to ensure the integrity of this connection data. 

When a connection is set up between a mobile switching center and a BSS, a local connection identifier 
is associated with each distinct connection. In order to keep each instance of the connection coordinated between
the MSC and the BSS, this connection information is shared through the use of SCCP local reference
numbers. According to the CCITT SS7 protocol, each end will send its local reference number and the far end's
local reference number when first confirming the setup of a valid connection. Subsequent dialog requires the
sending of the far end's local reference number. The value of this local reference number is not constricted by
standards. When a connection is first initiated in the mobile switching center, the local reference number is
encoded to include a connection identifier and the number of the protocol handler on which the connection 



The MTP layer provides for load sharing on a data link, changeover and changeback, with the possible 
result that incoming messages for a connection may arrive on a different physical link than messages being 
sent. When this occurs, the SCCP message arriving in a different protocol handler is routed to the proper protocol
handler by decoding the local reference number since that quantity contains the identification of the protocol
handler (PH) upon which the connection resides.

Whenever a SCCP connection goes into an active (stable) state, this connection information is shared 
with the next ascending PH in the PSU community (wherein the first PH is the "next ascending" PH for the 
last PH). This "next ascending" PH is known as a "backup PH." When a PH fails, a spare PH is switched into 
its position and thereby connected to the sources and destinations of messages for that PH. The "next ascending"
PH transmits to the spare PH a list of reference numbers of stable connections from the failed PH;
the "next ascending" PH will continue to control these connections as long as they are active. The spare PH 
assigns local reference numbers for new connections that have the same logical PH number as the connec- 
tions formerly served by the failed PH. When the spare PH receives a message for an active connection, it 
first checks to see whether the reference number is one of a connection controlled by the "next ascending"
PH. If so, the spare PH transmits that message to the "next ascending" PH which has the information for processing
that message, and which therefore can maintain the virtual connection. In this way in the event that a
PH fails, messages received on existing SCCP connections for the failed PH are automatically routed to the
"next ascending" or backup PH. When a PH fails, the backup PH will automatically restart timers associated 
with the SCCP connections from this backup information. In this way, stable connections will remain stable
as will calls dependent on those connections. Every PH that sets up SCCP connections has a dedicated backup
PH. Since a spare PH then assumes the logical role and name of the failed PH and accepts new SCCP
message connection requests for that PH, this will gradually reduce the temporary overload on the backup 
PH. When the failed PH is eventually restored to service, it then takes the role of a spare PH. 

While in this embodiment, the "next ascending" PH is used as a backup, any other predetermined backup
arrangement, such as the "next ascending skipping 1" (in a system with an even number of active PHs) could
be used instead. The term "predetermined adjacent" is used to describe any predetermined backup PH selection.

As discussed above, when the spare PH assumes the role of the failed PH, the backup PH will report the 
present status of all its active connections to the spare PH. The spare PH will not reuse resources, such as
connection identifier numbers, for active connections still running on the backup PH when serving up new
SCCP connections. The backup PH will then continue to service all presently active connections until they 
are released, as well as servicing new SCCP connections for itself. 
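The local reference number scheme and the "next ascending" backup described above, as an added Python sketch that is not part of the patent text. The 7-bit PH subfield, the 17-bit connection identifier and all class and function names are assumptions; the page states only that a subfield of the reference number identifies the protocol handler.

```python
# Added illustration, not the patent's code. Field widths are assumptions.
PH_BITS = 7                      # assumed: enough for the 75 active PHs the page mentions
CONN_BITS = 24 - PH_BITS         # assumed: rest of a 3-octet SCCP local reference
CONN_MASK = (1 << CONN_BITS) - 1


def encode_lrn(ph, conn_id):
    """Pack the logical PH number and a connection identifier into one LRN."""
    if not 0 <= ph < (1 << PH_BITS):
        raise ValueError("PH number out of range")
    if not 0 <= conn_id <= CONN_MASK:
        raise ValueError("connection id out of range")
    return (ph << CONN_BITS) | conn_id


def decode_lrn(lrn):
    """Return (logical PH number, connection identifier)."""
    return lrn >> CONN_BITS, lrn & CONN_MASK


class ProtocolHandler:
    def __init__(self, logical_ph):
        self.logical_ph = logical_ph
        self.own = {}           # lrn -> state of connections this PH controls
        self.mirror = {}        # lrn -> copy of the predecessor's stable connections
        self.adopted = {}       # lrn -> connections taken over from a failed predecessor
        self.delegated = set()  # spare only: LRNs still controlled by the backup PH


class Wgsm:
    def __init__(self, active_phs):
        self.n = active_phs
        self.phs = [ProtocolHandler(i) for i in range(active_phs)]

    def backup_of(self, ph):
        """'Next ascending' PH; the first PH backs up the last."""
        return (ph + 1) % self.n

    def open_connection(self, ph, state):
        """Allocate an LRN on PH `ph` and mirror the stable connection to its backup."""
        h = self.phs[ph]
        conn_id = 0
        # Lowest free id, skipping ids of connections still running on the backup PH.
        while (encode_lrn(ph, conn_id) in h.own
               or encode_lrn(ph, conn_id) in h.delegated):
            conn_id += 1
        lrn = encode_lrn(ph, conn_id)
        h.own[lrn] = state
        self.phs[self.backup_of(ph)].mirror[lrn] = state
        return lrn

    def fail_and_spare(self, ph):
        """PH `ph` fails: a spare takes its logical number, the backup keeps control."""
        backup = self.phs[self.backup_of(ph)]
        backup.adopted.update(backup.mirror)
        backup.mirror.clear()
        spare = ProtocolHandler(ph)
        spare.delegated = set(backup.adopted)   # list reported by the backup PH
        self.phs[ph] = spare

    def route(self, lrn):
        """PH number that processes a message carrying this LRN, whatever link it arrived on."""
        target, _ = decode_lrn(lrn)
        h = self.phs[target]
        if lrn in h.delegated:
            return self.backup_of(target)       # spare forwards to the backup PH
        if lrn in h.own:
            return target
        raise KeyError("unknown local reference number")

    def release(self, lrn):
        """Drop a connection everywhere so its identifier can be reused."""
        target, _ = decode_lrn(lrn)
        h, backup = self.phs[target], self.phs[self.backup_of(target)]
        h.own.pop(lrn, None)
        h.delegated.discard(lrn)
        backup.mirror.pop(lrn, None)
        backup.adopted.pop(lrn, None)


if __name__ == "__main__":
    w = Wgsm(active_phs=4)            # constructed 4-PH community
    a = w.open_connection(3, "call-A")
    w.fail_and_spare(3)
    print(decode_lrn(a), "now handled by PH", w.route(a))
```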

When a mobile station is first powered up within a specified mobile network, the international mobile subscriber
identification (IMSI) is used by the mobile station to identify itself. This IMSI is used to route a request
for VLR data to the WSM that contains that data. Each protocol handler of the WGSM contains a table that
stores the IMSI-WSM map, the table being created from data supplied by the WSMs. In order to allow HLR 
and, where possible, associated VLR records to be stored in any WSM, this look-up table has one entry per 
IMSI. During the location update or registration process, the SM that stores the VLR data will associate a Temporary
Mobile Subscriber Identification (TMSI) with a mobile station. The TMSI, whose value, while at least in
part random, is not otherwise constricted according to the GSM standard, is specially encoded with the identity
of the WSM (i.e., a switching module having wireless software) that contains the VLR so that accessing the
proper WSM for incoming messages when VLR data is required is simplified if the TMSI is available. Randomness
of the TMSI is maintained by randomizing three of its four octets. Except on initial mobile station power
up, as described above, the TMSI will normally be used for all BSSAP transactions. When a mobile station
initiates a transaction (such as a call or location update), the SCCP connection data base that stores infor- 
mation about the transaction, also stores information to identify the WSM that contains VLR data as well as 
the WSM that contains the trunk connected to the BSS. This is used for the routing of all subsequent messages
for this connection, which contain no TMSI.
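The three routing inputs described above (IMSI table on power up, WSM octet in the TMSI afterwards, SCCP connection data base for later messages), as an added Python sketch that is not part of the patent text. Placing the WSM number in the first octet, the names used, and the sample IMSI are assumptions; the page states only that three of the four octets are randomized.

```python
# Added illustration, not the patent's code.
import secrets


def new_tmsi(wsm_id, in_use):
    """Build a 4-octet TMSI: one octet naming the WSM (assumed to be the first),
    three random octets, retried until unique among the TMSIs already assigned."""
    if not 0 <= wsm_id <= 0xFF:
        raise ValueError("WSM number must fit in one octet")
    while True:
        tmsi = bytes([wsm_id]) + secrets.token_bytes(3)
        if tmsi not in in_use:
            return tmsi


def wsm_from_tmsi(tmsi):
    """Recover the WSM that holds the VLR record without any table look-up."""
    if len(tmsi) != 4:
        raise ValueError("TMSI must be four octets")
    return tmsi[0]


class WgsmRouter:
    """One WGSM protocol handler's view of where VLR data lives."""

    def __init__(self, imsi_to_wsm):
        self.imsi_to_wsm = dict(imsi_to_wsm)   # one entry per IMSI, supplied by the WSMs
        self.conn_to_wsm = {}                  # SCCP connection data base: lrn -> WSM

    def route_initial(self, lrn, tmsi=None, imsi=None):
        """First message of a transaction: prefer the TMSI, fall back to the IMSI table."""
        if tmsi is not None:
            wsm = wsm_from_tmsi(tmsi)
        elif imsi is not None:
            wsm = self.imsi_to_wsm[imsi]
        else:
            raise ValueError("initial message carries neither TMSI nor IMSI")
        self.conn_to_wsm[lrn] = wsm            # remembered for the rest of the connection
        return wsm

    def route_subsequent(self, lrn):
        """Later messages carry no TMSI; route on the stored connection record."""
        return self.conn_to_wsm[lrn]


if __name__ == "__main__":
    router = WgsmRouter({"001010000000001": 7})      # constructed test IMSI
    print(router.route_initial(100, imsi="001010000000001"))
    tmsi = new_tmsi(7, in_use=set())
    print(tmsi.hex(), router.route_initial(101, tmsi=tmsi), router.route_subsequent(101))
```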

As an example of the operation of the signaling system, consider a data connection between a BSS and 
a mobile switching center. Assume that the connection is initiated in the BSS. An initial message would first
be transported by MTP in the BSS from the BSS over a signaling data link logically interconnecting the BSS 
and a WGSM. The protocol handler, in the wireless global switch module, which terminates the signaling data
link passes the message from MTP to a SCCP control program. This SCCP program strips off the MTP header
and parses the message. Depending on the contents of the message, a connection is established or released, 
or the transfer of data is required. In this example, connection establishment is requested and a SCCP connection
(i.e., a virtual circuit) is temporarily set up between the protocol handler in the WGSM end of the signaling
data link and the protocol handler in the BSS. The SCCP control program informs a base station system
application part (BSSAP) (also referred to as a radio subsystem application part in FIG. 3) of the request for
a connection establishment via a primitive interface. BSSAP then parses the BSSAP message and obtains 
the identity of the destination wireless switch module. In the case, for example, of a query requiring VLR data, 
this destination WSM is identified by the international mobile subscriber identity (IMSI) field contained in the
BSSAP message. The BSSAP control process uses the IMSI to index a look-up table to find the WSM where
the VLR data base for this IMSI is to be found. The message is then sent within the WGSM from the protocol
handler terminating the signaling data link to a protocol handler that terminates a message delivery path to 
the identified WSM. This protocol handler then sends the message to a protocol handler on the destination 
WSM which in turn forwards the message to the switching module processor of that WSM. A BSSAP control 
process in the destination WSM then further parses the message and passes it on to a call processing program
for processing a mobile call or service.

Another example of the signaling procedures carried out in this embodiment of the invention is the pro- 
cedure for sending a message from a wireless switch module to a BSS via an established connection. In the 
transmitting wireless switch module, a BSSAP process assembles a BSSAP layer of the message that is tagged
with the local reference number identifying the SCCP connection. This process then forwards the message
to a protocol handler in the source wireless switch module, which then transmits the message over a
nailed up message delivery path going through the communications module to a first protocol handler in the 
wireless global switch module. This first protocol handler examines the local reference number of the message 
and uses this to determine the second protocol handler that terminates the SCCP connection. (This local ref- 
erence number was previously derived during the process of establishing the SCCP connection.) This protocol 

35 handler then uses a SCCP process to encapsulate the message with a SCCP header and passes the message 
to a message transport part (MTP) process for adding the MTP headers. The message is then sent over the 
(logical) data link to the BSS. (The physical data link corresponding to this logical data link has been described 
earlier.) 

Advantageously, this type of arrangement permits essentially all of the SS7 protocol handling functions 
to be carried out in the packet switching unit of the WGSM (without involving the switching module processor
of the WGSM) and allows the transmitting and receiving WSMs to process their messages independent of the 
destination. Effectively, the set of protocol handlers of the packet switch unit of the WGSM acts as the handler 
of all signaling protocols. (A maximally equipped WGSM contains 75 active and 5 spare protocol handlers.) 
The WGSM assembles and disassembles the Signaling System 7 headers to the application data of the messages
and switches the messages for transmission to the proper WSM which may either accept the messages
(if the destination is the mobile switching center) or originate messages to the appropriate BSS (if the
destination is either a BSS or a mobile station).

In addition, the MSC communicates from the administrative module with an external service center 224, 
using the X.25 protocol for delivery of short messages, such as an indication of a voice message waiting. The 
MSC communicates with the public switched telephone network using a land-based signaling system such as
SS7. 

The switching modules also communicate messages via the message switch of the communication module 
as is done in a land-based 5ESS switch. Call processing messages, such as the messages that are exchanged 
in order to set up a connection through the communications module between, for example, a switching module 
connected to the public switched telephone network portion of a land-to-mobile or mobile-to-land call and the
wireless switching module that is connected via the BSS to the mobile station end of the call, are sent in this 
way. 

Whenever an MS is in the region served by its home MSC, i.e., the MSC that contains the HLR for that
MS, the base VLR is attached to the HLR in such a way that common data is stored only once for the two
registers; the VLR and HLR are then stored in the same module. 

When the mobile station is either in the power-off state or in the power-on state but not in any active call 
state, only a base version of the VLR is maintained for that mobile station in the VLR WSM. When a call is
originated by a mobile station or a call is received for that mobile station, a separate dynamic version of part
of the VLR is stored and maintained in the WSM that controls the mobile calls. This copy of the VLR is linked 
to the terminal process in that WSM that controls the mobile station end of the call. If the mobile station moves 
and the call is handed over to a different switching module, then the dynamic copy of the VLR is transferred 
to the new WSM serving the mobile station for that call and is linked to a terminal process for serving that call
in that WSM. Note that the data in the base VLR that is not relevant to the MS locations is changed only by
administrative actions or such customer programming actions as the specification of a call forwarding number
and is not copied into the dynamic VLR. When necessary, the system administrator modifies the HLR which
in turn updates the base VLR; the administrator has "read only" access to the base VLR for trouble shooting 
purposes. 

The location of the mobile station is not updated in either the dynamic or the base VLR during a call, and
is updated in the base VLR only as part of a location update procedure. Location update procedures are carried
out when the mobile station is idle with power on, and moves from one location area to another. A location 
area is the area that is paged when a call terminating to an MS is received. 

All incoming calls first check the HLR. This is because the HLR is fixed and the location of the HLR record 
is tied to the called number (directory number) of a mobile station. The HLR has stored within it the information
necessary to find the base VLR; this information includes an identification of the mobile switching center that 
contains the base VLR. For this detailed description, this MSC is the same as the MSC of the HLR, and the
HLR and VLR are stored as one block so that if either is located the other is also located. All administrative 
changes of data associated with a mobile station are entered first into the HLR which then sends messages 
for entering the corresponding change in the base VLR. Customer initiated changes such as the prescription
of a different call forwarding number are forwarded initially to the base VLR which does not initially make any 
change in its record but forwards the request to the HLR which makes the necessary change and generates 
a message for updating the base VLR. The HLR is accessible via the mobile station directory number or the 
International Mobile Subscriber Identification (IMSI). The VLR is accessible via the IMSI or the TMSI; the HLR 
can also access the VLR by a special ISDN address. ISDN addresses are maintained for VLRs, HLRs, MSCs,
and EIRs according to the GSM specification. 

The VLR is attached to the HLR so that common data need only be stored once. This arrangement is satisfactory
as long as the mobile station is in the region served by the MSC; consideration of the storage of the
VLR when the mobile station leaves that region is beyond the scope of this description.

The combined HLR and VLR is stored in the wireless switching modules of the MSC. Each switching module
stores records for a range of mobile directory numbers and each module has a range translation to select
a module based on the directory number. Since the HLR/VLR must also be accessible via the IMSI, a table is
stored in each protocol handler of the WGSM to identify the module that has stored the VLR/HLR for each
IMSI served by the MSC. No translation is required for access via the TMSI since that contains a subfield for
identifying the VLR/HLR modules.
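
The three access paths just described (range translation on the directory number, the IMSI table held in the
WGSM protocol handlers, and the module subfield of the TMSI) can be sketched as follows. This is an added
example, not code from the patent. The TMSI bit layout, the class and function names, and all sample numbers
are assumptions made for illustration; the text only states that the TMSI contains such a subfield.

```python
from bisect import bisect_right

# Assumed TMSI layout (the text only says the TMSI "contains a subfield"):
# the top 8 bits of the 32-bit TMSI carry the id of the WSM holding the VLR/HLR.
TMSI_WSM_SHIFT = 24
TMSI_WSM_MASK = 0xFF


class UnknownSubscriber(LookupError):
    """No module in this MSC holds a record for the presented identity."""


class RecordLocator:
    """Finds the wireless switching module (WSM) that stores a VLR/HLR record."""

    def __init__(self, dn_ranges, imsi_table):
        # dn_ranges: (first_dn, last_dn, wsm_id), the per-module range translation.
        self._ranges = sorted(dn_ranges)
        self._starts = [first for first, _, _ in self._ranges]
        for (_, last, _), (nxt, _, _) in zip(self._ranges, self._ranges[1:]):
            if nxt <= last:
                raise ValueError("overlapping directory-number ranges")
        # imsi_table: the table held in each WGSM protocol handler.
        self._imsi = dict(imsi_table)
        self._wsms = {w for _, _, w in self._ranges} | set(self._imsi.values())

    def by_directory_number(self, dn):
        n = int(dn)
        i = bisect_right(self._starts, n) - 1
        if i < 0 or n > self._ranges[i][1]:
            raise UnknownSubscriber(f"directory number {dn} not served here")
        return self._ranges[i][2]

    def by_imsi(self, imsi):
        if not (imsi.isascii() and imsi.isdigit() and len(imsi) <= 15):
            raise ValueError("IMSI must be at most 15 decimal digits")
        try:
            return self._imsi[imsi]
        except KeyError:
            raise UnknownSubscriber("IMSI not served by this MSC") from None

    def by_tmsi(self, tmsi):
        if not 0 <= tmsi <= 0xFFFFFFFF:
            raise ValueError("TMSI is a 4-octet value")
        wsm = (tmsi >> TMSI_WSM_SHIFT) & TMSI_WSM_MASK
        # The subfield arrives over the radio interface, so it is checked against
        # the modules that actually exist before anything is routed on it.
        if wsm not in self._wsms:
            raise UnknownSubscriber(f"TMSI names unknown module {wsm}")
        return wsm

    def locate(self, *, tmsi=None, imsi=None):
        """TMSI first (no table needed); the IMSI table only when no TMSI is given."""
        if tmsi is not None:
            return self.by_tmsi(tmsi)
        if imsi is not None:
            return self.by_imsi(imsi)
        raise ValueError("need a TMSI or an IMSI")


# Constructed sample data: two WSMs, made-up directory numbers and IMSIs.
LOCATOR = RecordLocator(
    dn_ranges=[(5550000, 5554999, 3), (5555000, 5559999, 7)],
    imsi_table={"001010000000001": 3, "001010000000002": 7},
)
```

An identity that resolves to no module raises UnknownSubscriber instead of falling back to a default module,
so a malformed or foreign identity is never routed to an arbitrary WSM.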

FIG. 5 is a block diagram illustrating the physical signaling paths between base stations and wireless 
switching modules. The base stations 502 are connected through permanent virtual circuits which physically 
pass through a WSM 504 serving the base station and through the communications module 506 to a protocol 
handler in the WGSM 508. The protocol handler receives messages in the SS7 protocol used to communicate 
with the base station and transmits the message to the correct WSM; the digital facility interface connected
to the BSS transmits the messages to a protocol handler of the WGSM which is connected by a switchable 
physical nailed up data channel to the destination WSM, where it terminates on a protocol handler which is 
connected to the switching module processor of the WSM. Advantageously, the WGSM terminates a standard 
protocol and allows any WSM to control any calls from the base stations that have trunks to the WSM, since 
the processor of the switching module (SMP) for controlling the call need not be the SMP for controlling a specific
connection between a BSS trunk and a channel to a CM or to another output of the WSM.

FIG. 6 shows the logical signaling system. The base station system 602 communicates with the WGSM 
604 which then delivers its message via the communications module 506 to the appropriate WSM 610. 

As shown in FIG. 7, the VLR data for a particular mobile switching center is spread out over the WSMs
702 704 in that center. In the particular example, when WSM 702 needs VLR information from WSM 704,
it requests the information via the call processing inter-module data links switched through the message switch
of the communications modules of the 5ESS switch.

FIG. 8 illustrates the modules involved in a mobile-to-land call. The base station system 802 nearest the
mobile is connected by a voice path to a wireless switching module (WSM) 804 which is connectable through
the communication module (CM) to another switching module for connection via the public switched telephone 
network (PSTN) 808 to the called customer. The PSTN global switching module (GSM) 810 is used for controlling
SS7 signaling to the public switched telephone network. The WSM 812 that contains the base VLR
data is connected via virtual data links to the WSM 804 controlling the mobile station leg of the call. The SM
806 and WSM 804 are connected by a virtual data link in order to coordinate the activities of the terminal process
handling the call in each of these modules. The WGSM 814 communicates all data to and from the BSS
and transmits it as necessary to either the WSM 804 or the VLR-WSM 812. 

Consistent with the principles of operation of the 5ESS switch for land-based calls, the administrative module
508 (FIG. 5) is used for selecting outgoing PSTN trunks on mobile originated calls and for selecting time
slots for voice paths between switching modules. In addition, the administrative module is used for selecting 
a trunk between the mobile switching center and a base station controller. The base station controller selects 
a path between the incoming trunk to the base station controller and the base transceiver station. As previously 
indicated, this path may be a land-based trunk. The trunks between the BSSs and the mobile switching center
are one way outgoing from the mobile switching center. This makes the finding of an idle trunk from the centralized
administrative module efficient and allows the trunks to be fully utilized: whether the call is originated
by a mobile station or is terminated to a mobile station, the trunk will be hunted for and allocated by the
administrative module which is a part of the mobile switching center.

FIGS. 9-13 illustrate the messages required in processing a mobile-to-land call and show the source and
destination of each message. The call is initiated by a control channel request message 902 (FIG. 9) from the
MS to the BSS to request the assignment of a dedicated control channel for further signaling from the MS. 
The BSS responds with a control channel assignment message 904 to allow the MS to access the proper control
channel. The MS then transmits a service request message 906 to the BSS which passes this service request
message 908 to the WGSM. The WGSM transmits a process access request message 910 to the WSM
that contains the VLR information. The WGSM has the data for determining which WSM contains the VLR
information for this mobile station. This data is used when the TMSI is not available. If the TMSI is available, 
it has the VLR-WSM ID encoded in it for easy identification of the VLR-WSM. The message from the WGSM 
to the VLR-WSM is for processing the service request and for creating the connection data in the VLR-WSM 
for the request. The VLR-WSM enters a tuple in the connection data block for the process that handles the
request. The data includes the identification of the connection transaction using the connection. An authentication
process, if needed, is initiated by the VLR-WSM, which transmits a message 1002 (FIG. 10) to the
mobile station (the message is actually transmitted via the WGSM, the WSM connected to the BSS, and the 
BSS) to request authentication algorithm calculation. The mobile station responds to the VLR-WSM with a 
message 1004 containing the result of the authentication algorithm calculation. 

Meanwhile, the VLR-WSM transmits a message 1006 to the administrative module (AM) requesting the
assignment of a BSS trunk for the call and the AM transmits a message 1008 to the WSM connected to that
trunk for creating a wireless originating terminal process in that WSM for handling the call. The WSM then 
returns a message 1010 to the VLR-WSM for notifying the VLR-WSM which trunk WSM (i.e., WSM connected 
to the trunk to the BSS serving the call) and BSS trunk has been assigned to the call. As will be seen below,
the VLR-WSM is required for controlling the ciphering information for the call.

If ciphering is used, the VLR-WSM transfers (message 1102, FIG. 11) to the WSM for handling the call, a 
copy of the call processing related information, relating to the mobile station from the VLR record to the call 
controlling WSM. If ciphering is used, the VLR-WSM transfers the cipher command to the BSS via the WGSM 
(messages 1104 and 1106). The BSS transmits a cipher mode command (message 1108) to the mobile station.
The mobile station then sets up the cipher mode and transmits back to the BSS, a cipher mode completed
message 1110. The BSS sends a message to the VLR-WSM that the cipher process has been completed 1112. 
At this time, both the BSS and the mobile station are in a corresponding cipher mode. The details of the en- 
cipherment are specified in the GSM standard. 

The mobile station then sends a setup request message (1114 and 1116) via the WGSM to the call controlling
WSM (i.e., the WSM that contains the terminal process for the mobile station). The WGSM had previously
been informed of the identity of the WSM in message 1104. The WGSM checks to ensure that no failures
have been encountered up to this time before call setup request. If any failures have occurred, the failures are 
reported to the WSM. The WSM then transmits a message 1118 to the mobile station indicating that the call 
is proceeding. 

Next, if the equipment validation function is needed, the VLR-WSM in cooperation with the call controlling
WSM and the mobile station performs that function. (Equipment validation is optional in GSM according to
the wishes of the telecommunications operator.) The VLR-WSM requests (message 1202) the mobile station 
to furnish its International Mobile Equipment Identification (IMEI). The mobile station responds with its IMEI
(message 1204) to the VLR-WSM which checks to insure that the mobile station is authorized to use the network.
The VLR-WSM sends the result of its check (message 1206) to the call controlling WSM. Meanwhile
the trunk WSM notifies the BSS of the identity of the previously assigned BSS trunk (message 1208). The 
WSM also requests that the BSS pick a radio channel for the voice (or data) communication with the mobile
station. This radio channel will then be associated with the assigned BSS trunk for the length of the call or
until the call is handed over to another BSS or terminated. The BSS assigns the radio channel and notifies 
the mobile station of the assignment (message 1210). The mobile station responds (message 1212) when it 
has received this assignment and has tuned its radio to that channel. The BSS then reports back to the WSM 
that the radio channel assignment process and the radio to trunk connection have been completed (message
1214). The WSM requests (message 1216) the administrative module to hunt for a trunk to the public switched
telephone network for completing the land part of the call and the administrative module assigns this trunk 
and requests the switching module connected to that trunk to create a terminal process for the call (message 
1218). The switching module then transmits a message 1220 to the WSM that the network connection is proceeding
and transmits a message 1222 to the PSTN GSM which transmits message 1224 to the public switched
telephone network to set up the call. (This is a TUP or ISUP message depending on the type of trunk signaling
used to access the next switching system of the PSTN.) 

The public switched telephone network then responds to the SM with a message 1302 (FIG. 13) indicating
that the called customer is being alerted and the SM transmits a message 1304 to the WSM which sends a
message 1306 to the mobile station to connect alerting tone. (This is supplied locally within the mobile station.)

Sometime later, the public switched telephone network sends message 1308 to the SM that the called
customer has answered. The SM sends a message 1310 to the call control WSM to indicate that an end-to-end
talking path has been established. The call control WSM so informs the mobile station (message 1312).
The mobile station responds with an acknowledgment (message 1314) and the call is now active. 

Next, the disconnect process will be discussed (FIG. 14). It will be assumed that the mobile disconnects
first. The mobile sends a disconnect message 1402 to the WSM whose terminal process is controlling the mobile
end of the call and the WSM transmits a release message 1404 to the mobile and a network release request
1405 to the SM connected to the public switched telephone network. The mobile then transmits a release complete
message 1406 to the WSM. The SM releases the call and transmits a network release message 1410
to the public switched telephone network. The SM also transmits a message 1412 to the administrative module
to release the trunk to the PSTN and the WSM sends messages 1414 to administrative module for releasing
the BSS trunk and 1416 for making a billing record of the call if necessary. (Several billing records are sent 
in one message so that not every call generates a billing message from an SM to the AM.) The WSM also sends 
a release message 1418 to the VLR-WSM to update the status of the mobile station of the call. The VLR-WSM 
sends a clear command 1420 to the WGSM for clearing the connection information for messages if the call
is the last transaction for the mobile station. (If other transactions, such as the delivery of a message waiting
signal message, are required, the connection is kept up; the VLR remains involved in call control, but not the 
WSM attached to the BSS for controlling the call.) The WGSM sends a clear command to the BSS to release 
the radio channel and receives an acknowledgment 1424 from the BSS that the radio channel has been released.
The BSS sends a clear command 1426 to the mobile station to release the transmitting channel. The
WGSM then sends a clear complete message 1428 to the VLR-WSM to confirm that the mobile station is now
released. 

The handover procedure will now be described. Since a mobile station may travel during the course of a 
call, it could easily get outside the effective range of the base transceiver stations of one BSS and into the 
effective range of another. Under these circumstances, it is important that the mobile station be retuned to a
frequency of a transceiver of the second BSS and that the call be continued via that transceiver. The process
will first be described in terms of the connections, then in terms of the message exchanges. 

FIGS. 15-18 illustrate the process of a handover to a base transceiver station in another BSS served by 
the same MSC. The request is originally made from the BSS 1502 serving the call in response to a message
from the mobile station 1504 reporting the signal strengths of the serving base transceiver station and nearby
candidate base transceiver stations. At this time the call is served from BSS 1502 and wireless switching module
1506. The wireless switch module 1506 selects a new base transceiver station which is, in this example,
on a new BSS 1510. The administrative module selects a trunk 1512 (FIG. 16) between wireless switching module
1512 and BSS 1510. The administrative module also selects a network time slot 1532 between the switching
module 1530 (the pivot module) connected to the land-based station via the public switched telephone network
1540 and the wireless switching module 1520. BSS 1502 then sends a message to the mobile station
to retune to the transceiver system of BSS 1510. At the completion of retune (FIG. 17), the connection through
the time slot interchange in the pivot module is switched to the connection 1532 to wireless switch module 
1520. At this point, the land-based station is connected through the public switched telephone network 1540,
through pivot switch module 1530, and through WSM 1520 and BSS 1510 to the mobile station 1504. Finally,
the old resources, namely the connection 1542 between the pivot module 1530 and WSM 1506 as well as the 
connection between WSM 1506 and BSS 1502 are released as are the radio resources for the call in BSS 
1502 (FIG. 18). 

The handover process will now be described (FIGS. 19-21) in terms of the appropriate message exchanges.
According to the standards discussed previously, a mobile station performs the task of measuring the
strength of signals received from different BSSs in its vicinity. The mobile station periodically sends the measurements
message 1902 (FIG. 19) to the base station currently serving that station. If the BSS detects that
the signal from the BSS currently serving that mobile station is below the threshold of signal strength required
for reliable communications, the BSS sends a message 1904 to the WGSM of the mobile switching center including
an ordered set of candidate base transceiver stations for handling the call further. The WGSM delivers
the message 1904 to the WSM currently handling the call (the old WSM), indicating that a handover is required
and passing the list of candidate base transceiver stations. The old WSM after consulting the terminal process 
for the mobile station to determine that handover may proceed, passes this information via message 1906 to
the administrative module for the allocation of a trunk to the first candidate BSS. The administrative module
transmits a message 1908 to the WSM connected to the selected trunk of the BSS (the new WSM) and the 
new WSM transmits a message 1910 to the switching module connected to the land path (the pivot SM) to 
set up a second time slot path for use with the new connection from the public switched telephone network 
to the new WSM, and to inform the pivot SM of the new WSM and new terminal process identity. The new
WSM sends a message 1912 to the old WSM indicating that the new path setup is complete and the old WSM
transfers the copy (message 1914) of the VLR information which it has stored associated with the terminal 
process for this call to the new WSM. The new WSM then sends a handover request message 1916 to the 
new BSS for assigning a channel in the new BSS, and the new BSS returns an acknowledgment 1918. The 
handover request acknowledgment includes the frequency and channel which the new BSS will use to communicate
with the mobile station.

The new WSM sends to the old WSM a handover request acknowledgment 2002 (FIG. 20) which includes 
the identification of the new frequency and channel to which the mobile station is to be tuned. The old WSM 
transfers that call's specific data to the new WSM via message 2004 and defers processing of all messages 
to and from the MS that are being sent to the old WSM. Such messages will subsequently be forwarded to
the new WSM. The new WSM returns a message 2006 indicating that the call's specific data transfer has been
completed, and the old WSM transmits message 2008 to the VLR-WSM, indicating that the actual channel 
switching is about to start and requesting the VLR-WSM to defer the processing of new input signals. (Exam- 
ples of new input signals whose processing is deferred during handover are short message delivery requests, 
e.g. a request to deliver a "turn on voice message waiting lamp" short message, or new calls to the mobile
station.) The old WSM then transmits a handover command 2010 to the old BSS, which forwards that handover
command 2012 to the mobile station. In response to this handover command, the mobile station tunes to the 
new assigned frequency and channel for communicating with the new BSS. The mobile station then transmits 
a handover access message 2014 to the new BSS which transmits a message ("use physical channel" message
2016) requesting the mobile station to establish frame synchronization with the base station physical
channel. The mobile station transmits a handover detect message 2018, indicating that a physical layer connection
has been established to the new BSS, and that the mobile station has retuned. The new BSS transmits
a message 2020 to the new WSM that the handover has been detected, which, in response to that message, 
requests the pivot SM to switch to the new path (message 2022). The pivot SM switches to the new path and 
transmits an acknowledge message 2024 to the new WSM. 

After the layer 3 protocol is established, the mobile station sends a handover completion in message 2100
(FIG. 21) to the new BSS which forwards the message 2102 to the new WSM. The new WSM then transmits
to the old WSM a message 2102 (FIG. 21) that the handover has been completed and the old WSM transmits 
a message 2104 to the VLR-WSM that the handover has been completed; this message includes the identity 
of the new WSM. The old WSM transmits to the new WSM any queued messages 2106 for this mobile station
and the new WSM acknowledges the end of this message transfer (message 2108). The old WSM transmits
a message 2110 to inform the pivot SM to release the old path. The old WSM also transmits a message 2112
to the administrative module to release the old time slot. In the meantime, the VLR-WSM, in response to the
receipt of the handover end message 2104, transmits message 2114 to the old BSS to release the old radio 
channel, and the old BSS releases this channel and transmits an acknowledgment 2116 to the VLR-WSM. 

In the transitional stages, the new WSM is connected to the pivot SM but the path is not continued through
the time slot interchanger of that SM for connection to the far party. This connection is made after the mobile
station has tuned to the radio frequency of the new BSS, and is made at the same time as the old time-slot 
interchange connection for connecting the current WSM to the public switched telephone network, is dropped.
Thus, only one connection is made through the SM connected to the far party and that connection is made
through the time-slot interchange of that switching module. This permits a very rapid transition from one con- 
nection to another, since all other connections are made before the time-slot interchange connection is switch- 
ed. 

As long as a mobile switching center continues to serve a particular mobile station, the VLR for that mobile 
station is maintained in that mobile switching center and is retained in the same switching module of that mobile 
switching center even as the mobile moves to different areas served by that switching center. (The procedures 
for handing over a mobile station from one mobile switching center to another are beyond the scope of this 
detailed Description.) Since the switching module which contains the call data for serving a call for a particular 
mobile station, retains the bulk of the information from the VLR, and further retains the identity of the switching 
module that contains the base copy of the VLR, there is no need to move that base copy even when a mobile 
moves and is subsequently served by a different wireless switching module. 

A land-to-mobile call will now be described. An incoming call message 2202 (FIG. 22) is received from the 
public switched telephone network at the mobile switching center. (Note that the land-to-mobile call could also 
originate in the mobile switching center.) For the case of SS7 signaling on the incoming side, the mobile switch- 
ing center sends an address complete message 2204 to the public switched telephone network. The MSC 
which received the incoming call is the MSC that, on the basis of the telephone number, is the "home" for this 
mobile station. (The procedure for handling calls with base HLR information in another MSC is beyond the 
scope of this Detailed Description.) This MSC contains the base HLR information for the mobile unit.

The MSC consults the HLR for that mobile unit in the appropriate wireless switching module (action 2206), 
and obtains information as to which MSC is currently serving the mobile unit (action 2208). If the mobile unit 
is currently roaming and outside the range of the home MSC, the MSC reroutes the call to the MSC that serves 
the mobile unit. In this example, the mobile station is controlled by the home MSC. If the mobile station has
requested that calls be forwarded to another number, this will also be reported to the MSC for further proc- 
essing, either by the MSC if the call forwarding number is served by the home MSC, or for further processing 
by another MSC or the public switched telephone network, if the call forwarded number is not served by the 
home MSC. 

In this case, assume that the mobile station has not requested call forwarding and is being served by the 
home MSC. The MSC determines the WSM which contains the VLR of the mobile station, which VLR is integrated
in the MSC for this embodiment. The MSC queries that VLR (action 2210). The VLR determines the
most recent location area of the mobile station, in order to have the mobile station paged by the BSSs in the 
most recent location area. The VLR responds with the identity of the location area for performing the page 
(action 2212). 

The MSC then sends a message 2302 (FIG. 23) to the BSSs serving the location area requesting the page. 
The BSSs send out paging signals (action 2304) and the mobile station responds to this request (action 2306) 
via one of the BSSs, with a request to assign a control channel to this mobile station. That BSS transmits to the
mobile station a channel assignment 2308 for the dedicated control channel to be used. The mobile station 
tunes to that control channel and delivers its page response 2310 over that control channel. 

Under the principles of the GSM standard for mobile communications, a mobile unit is tuned to a single 
paging channel. If the mobile unit is turned on, it tunes to the paging channel of the base transceiver station 
with the strongest signal. This is done by taking signal strength measurements of the broadcast channels of 
several nearby base transceiver stations and selecting the system with the strongest signal. The mobile station 
then tunes to the common control channel, paging subchannel of that system. If a mobile unit has moved across 
location area boundaries while the mobile station is powered on but not in the connected state, then the mobile 
station will send a location update message to the MSC which is used to update the VLR for that mobile station. 
The mobile station recognizes this transition because its internal record of a location area differs from the lo- 
cation area signal received from the base transceiver station via the broadcast control channel. 

When a mobile is originally paged, it is paged by all the transceiver stations in the location area where the
MS has last registered. This paging message is transmitted from the protocol handlers of the wireless global
switching module to all the appropriate base station controllers. Within the WGSM, a paging request message
received from a switching module contains the location area identifier (LAI). This is translated to derive a series
of point codes for the BSSs that contain Base Transceiver Stations which must broadcast the page. The PH
that received the paging request message from the switching module broadcasts a message to the WGSM
protocol handlers that also includes the identity of the mobile (the IMSI or TMSI as discussed hereinafter with
respect to the authentication procedure), the point codes and a single logical route, effectively appended to
each point code. The logical route is a four bit quantity used to spread the signaling traffic over the different
signaling links to the BSSs. Each protocol handler examines the point codes and the logical route to see if it
is involved (i.e., serves a signaling link that is used) in transmitting paging request messages. Each involved
protocol handler transmits a paging request message to each of these BSS controllers for which that protocol
handler is the designated source of paging messages for the point code and logical route; this paging request
message includes a list of the BTSs in the LAI so that a BSS that includes portions of two or more LAIs can
transmit a paging request only to the base transceiver stations serving that LAI. In an alternative version, not
covered by the present GSM specification, the LAI is sent and the BSS translates to find the appropriate base
transceiver station for paging.

An alternate approach is to make a translation within the protocol handler that receives the paging request
message from the switching module to determine which protocol handlers of the WGSM should receive a
multicast paging message that includes the point codes of the BSSs and the logical route for those BSSs involved
in the paging, plus a list of base transceiver stations. Each of the determined recipients of this multicast
message then translates the point codes and logical route to see if it is to transmit a paging message; if so it
transmits the appropriate paging message. In this approach, the initial translation to determine which protocol
handlers may be involved in the process of transmitting paging request messages to base station controllers is
performed in the single protocol handler that initially receives the paging request message. A disadvantage
of this approach is that each of the protocol handlers that makes the initial translation needs a table for storing
the translation information. The simpler translation of the preferred embodiment is only from the LAI to point
codes, a relatively static translation. The updating of protocol handlers to respond to trouble conditions only
affects the tables of protocol handlers actually transmitting data to the BSSs.

The page response 2310 received by one of the BSSs is returned (message 2312) to the mobile switching
center, specifically, the WGSM. The WGSM then transmits a message 2314 to the wireless switching module
which contains the VLR information for this mobile station to initiate the authentication process if necessary.
Previously, the VLR has received from the authentication center via the HLR five sets of data used for
authenticating the identity of the mobile station and for use as an encryption key. If the VLR has only one set
left, then it obtains an additional set via the HLR from the authentication center, using messages 2402, 2404,
2406 and 2408 (FIG. 24). The VLR-WSM communicates to the mobile station an authentication request 2410 for
it to perform algorithm calculation. The mobile station then communicates the result (message 2412) of the
calculation to the VLR-WSM which compares the result with the authentication data it stores.

The VLR then transmits an encipher command (message 2502, FIG. 25), if necessary, to the BSS which
transmits, over the radio channel, a cipher mode command 2504 requesting the mobile station to enter the
cipher mode. The mobile station responds with a cipher mode complete message 2506 to the BSS and the
BSS reports to the switching module containing the VLR that the encipher process has been completed
(message 2508). The original encipher command sent from the VLR to the BSS includes the key for use in
enciphering the signals transmitted between the mobile station and the BSS. The mobile station had previously
received information for deriving the key during the authentication process.

If the telecommunications operator has specified that an equipment identity check is required, the mobile
switching center then requests (message 2602, FIG. 26) from the mobile station its international mobile
equipment identification (IMEI). The mobile station responds with that information (message 2604) and this
information is checked (action 2606) in the equipment identification register (EIR) data base also stored in the
MSC for that mobile. The check result is returned (action 2608) from the EIR. The equipment validation is
performed to insure that the mobile unit is authorized to make calls. Calls are only completed if both the VLR
and the EIR data indicate that the mobile is authorized to make and/or receive calls.

Thereafter, the mobile switching center sets up a call connection to the mobile station. It transmits a
message 2702 (FIG. 27) including a transaction identification for all messages generated by the mobile station,
respecting this call. The mobile station responds with a call confirm message 2704. The mobile switching
center then requests (message 2706) the base station to assign a traffic (i.e., voice or customer data) channel to
this call. The BSS selects the radio frequency and channel and informs the mobile station (message 2708) of
the same so that the mobile station can tune to this frequency and channel. The mobile station does so, reports
(message 2710) that the channel assignment has been completed, which permits the BSS to report (message
2712) to the mobile switching center that the traffic channel has been assigned.

The mobile station responds to the previously received traffic channel assignment request by locally
generating an alerting signal to the subscriber. An "alert" message 2802 (FIG. 28) is sent from the mobile station
to the MSC to inform the MSC that the mobile station user is being alerted. The mobile switching center transmits
an audible tone to the caller (action 2804). When the called customer at the mobile station goes off hook, i.e.,
answers the call, the mobile station sends a connection indication 2806 to the mobile switching center, which
forwards that connection indication to the far party (action 2808) and transmits a connection acknowledge
message to the mobile station 2810.

In order to detect the fraudulent condition wherein two or more mobile stations have the same identity, a
situation which should not occur and will occur only as a result of an attempt to fraudulently cause
telecommunications charges to be incurred by the primary owner of that identification, the following steps are taken.

Each of a class of state transitions is examined to see if the particular state transition is likely, in view of
the prior state of the mobile station. Whenever a mobile station changes state to one of the specified states, the
previous one of the specified states for that mobile station is examined and if the transition is unlikely, a record
is made for the mobile telecommunications network administration. These records are an indication of possible
fraud. The state transitions which are examined are the following: attached mobile station, detached mobile
station, page response, location update, service request, and cancel location (a message from an HLR to a
VLR to indicate that the mobile has moved outside the area served by the MSC, and therefore, the VLR).
Unlikely events include the reception of an attach when the mobile station is already attached; a detach when
the mobile station is already detached; the receipt of multiple page responses for a single page request of one
mobile; the receipt of a location update while another update procedure or connection procedure is in progress;
the receipt of a service request when a mobile station is detached, in a location update procedure, or during
an attach or detach procedure; or a change location message received when a call is in progress.

Whenever a state change is one that is unlikely to occur, a peg count is made of the state change. The
frequency of the unusual occurrences is displayed at a mobile switching control center or the Operation and
Maintenance Center (OMC) so that a fraudulent use of an identification can be detected. If the count exceeds
a threshold, a special message is displayed or printed.
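The check described in the two preceding paragraphs can be sketched as follows. This is an added example, not code from the patent: the event names, the per-mobile record layout, the threshold value and the two IMSIs are constructed assumptions, and attach and detach are treated as instantaneous, so the "during an attach or detach procedure" case is not modelled.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

THRESHOLD = 2  # assumed alarm threshold; the description gives no value

@dataclass
class MobileState:
    attached: bool = False
    procedure: str = ""          # "", "location_update" or "call"
    page_answered: bool = False  # the current page request was already answered

def unlikely(st, event):
    """Return why `event` is unlikely given the prior state, or None."""
    if event == "attach" and st.attached:
        return "attach while already attached"
    if event == "detach" and not st.attached:
        return "detach while already detached"
    if event == "page_response" and st.page_answered:
        return "multiple page responses for one page request"
    if event == "location_update" and st.procedure:
        return "location update during " + st.procedure
    if event == "service_request" and (not st.attached or st.procedure == "location_update"):
        return "service request while detached or during location update"
    if event == "cancel_location" and st.procedure == "call":
        return "cancel location while call in progress"
    return None

def advance(st, event):
    """Apply the event to the record; the state changes whether or not it was likely."""
    if event == "attach":
        st.attached = True
    elif event in ("detach", "cancel_location"):
        st.attached, st.procedure = False, ""
    elif event == "page_request":
        st.page_answered = False
    elif event == "page_response":
        st.page_answered = True
    elif event == "location_update":
        st.procedure = st.procedure or "location_update"
    elif event == "service_request":
        st.procedure = st.procedure or "call"
    elif event == "procedure_done":
        st.procedure = ""

def monitor(events, threshold=THRESHOLD):
    """Peg-count unlikely transitions per identity; alarm once the count exceeds threshold."""
    states, pegs, records, alarms = defaultdict(MobileState), Counter(), [], []
    for imsi, event in events:
        reason = unlikely(states[imsi], event)
        if reason:
            pegs[imsi] += 1
            records.append((imsi, reason))
            if pegs[imsi] == threshold + 1:
                alarms.append(imsi)
        advance(states[imsi], event)
    return pegs, records, alarms

# Constructed event stream: identity A is used by two stations, B behaves normally.
A, B = "001010000000001", "001010000000002"
EVENTS = [(A, "attach"), (B, "attach"), (A, "attach"), (A, "page_request"),
          (A, "page_response"), (B, "location_update"), (A, "page_response"),
          (B, "procedure_done"), (A, "service_request"), (B, "service_request"),
          (A, "cancel_location"), (B, "procedure_done"), (B, "detach")]
```

Calling monitor(EVENTS) returns the peg counts, the records made for the administration, and the identities whose count exceeded the threshold.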

The authentication process will now be described. The authentication process is initiated as a result of a
service request by the mobile station or following a successful page of a mobile station, but is performed
primarily under the control of the VLR. According to the wishes of the telecommunications operator, this
authentication process may be performed every time a mobile station originates or a call is terminated to a mobile
station. In addition, if the administration of the mobile switching system so desires, the authentication may
take place whenever a location is updated for a mobile station that is in the power-on and idle state. In addition,
authentication may be performed when a mobile station registers by turning on its power.

In the case of a request for service originated by a mobile station, the mobile station sends a message to
the mobile switching center recording one of the requests discussed above. This message includes the IMSI
(International Mobile Subscriber Identification) or a TMSI (Temporary Mobile Subscriber Identification). The
choice of an IMSI or a TMSI as the primary identification mechanism is made by the system operator. The
IMSI is a permanent number which is assigned to every mobile station. The TMSI is assigned to a mobile station
only after an authentication, and has only local significance. If this is the first authentication request or an
authentication request which for some reason has failed and the system administration is using TMSI
identification, then the backup IMSI is used for the purpose of authenticating the customer and assigning a new
TMSI. The source of data used in authentication is an authentication center which in the present system is
present in each mobile switching module of the MSC. This authentication center (AUC) does not store any data
for each customer. The purpose of the authentication center is to generate random numbers which are used
in conjunction with data in the HLR to generate authentication data. Initially, at the time when a customer
subscribes for service, that customer is assigned an initial key Ki. This key and a random number (RAND) supplied
from the authentication center are acted upon by a first algorithm (A3) to generate a secondary number, an
authentication number, referred to as Signed Response (SRES), a result of manipulating the random number
using the A3 algorithm. In addition, the random number and Ki are acted upon by a second algorithm (A8) to
generate an encryption key Kc. Values of RAND, SRES and Kc are requested from HLR as needed by the VLR.
In the preferred embodiment of the invention, five sets of RAND/SRES/Kc are generated and stored in the VLR
each time a set of calculations is made.

When the authentication is needed, the MSC sends the random number to the MS. The MS retrieves Ki
from its initialization memory (which may be initialized at the time of the purchase of the mobile station) and
calculates SRES and Kc from the random number and the Ki using algorithms A3 and A8. It then stores the
Kc in the main station and sends the SRES result to the mobile switching center. The mobile switching center
verifies that the SRES value calculated by the mobile station matches the SRES value that has been stored
in the VLR and was previously calculated. If the values match, this is a successful authentication and it is
assumed that the two values of the key Kc as stored in the MSC/VLR and in the mobile station are identical.

Note that with this arrangement, only the random number and SRES are transmitted over the air. The two
independently generated values of the encryption key, Kc, each generated from the random number and each
generated using a value of Ki which is also never transmitted through the air, are not transmitted over the air.
Since a separate algorithm is used for deriving Kc and SRES, the fact that SRES and RAND are transmitted
over the air does not permit an interloper to discover Kc.
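The challenge-response exchange and the VLR's stock of RAND/SRES/Kc sets described above can be modelled as follows. This is an added example, not code from the patent: the page does not specify A3 or A8, so HMAC-SHA-256 with distinct labels stands in for both, and the class names, the IMSI and the Ki value are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def a3(ki, rand):
    """Stand-in for the operator's A3: 32-bit SRES from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki, rand):
    """Stand-in for the operator's A8: 64-bit Kc from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuthCenter:
    """HLR/AUC side: uses the subscriber's Ki to produce RAND/SRES/Kc sets."""
    def __init__(self, ki_by_imsi):
        self._ki = dict(ki_by_imsi)

    def sets(self, imsi, n=5):
        ki, out = self._ki[imsi], []
        for _ in range(n):
            rand = secrets.token_bytes(16)  # 128-bit RAND
            out.append((rand, a3(ki, rand), a8(ki, rand)))
        return out

class MobileStation:
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand):
        self.kc = a8(self._ki, rand)  # stored locally, never transmitted
        return a3(self._ki, rand)     # only SRES is sent back

class VLR:
    def __init__(self, auc):
        self.auc, self.store, self.fetches, self.air = auc, {}, 0, []

    def authenticate(self, ms):
        sets = self.store.setdefault(ms.imsi, [])
        if len(sets) <= 1:            # none or one set left: obtain five more
            sets.extend(self.auc.sets(ms.imsi))
            self.fetches += 1
        rand, sres, kc = sets.pop(0)  # each set is used once
        answer = ms.respond(rand)
        self.air += [rand, answer]    # everything that crossed the radio path
        ok = hmac.compare_digest(answer, sres)
        return ok, (kc if ok else None)

def demo():
    imsi = "001010000000001"                                # constructed IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    vlr = VLR(AuthCenter({imsi: ki}))
    genuine = MobileStation(imsi, ki)
    clone = MobileStation(imsi, bytes(16))  # has the IMSI but not Ki
    ok, kc = vlr.authenticate(genuine)
    rejected = not vlr.authenticate(clone)[0]
    leaked = kc in vlr.air or ki in vlr.air
    return ok, kc == genuine.kc, rejected, leaked
```

demo() returns whether the genuine station authenticated, whether both sides hold the same Kc, whether the station lacking Ki was rejected, and whether Kc or Ki appeared among the values sent over the air.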

In case authentication fails, if the system administration uses TMSI, then the IMSI is sent as a backup in
case the TMSI for one reason or another became garbled. If another authentication using the IMSI is attempted
and if that authentication is successful, a new TMSI is sent and actions which are based on a successful
authentication can be performed. If the system administration uses an IMSI and authentication fails or if
authentication fails following an IMSI backup of a TMSI, then all service except emergency service is normally denied
to that mobile station.

Note that both the TMSI and the IMSI may be sent over the airwaves without compromising security since
these values are useless if the Ki corresponding to that IMSI is not available to a potential interloper.

Some administrations may choose not to perform an authentication on every call. If this is the case and
an IMSI or TMSI has been intercepted, then a fraudulent call may be made, or a call may be fraudulently
received. However, if this is a call on which authentication is made in an administration which chooses to
authenticate some percentage of its calls, then authentication will fail and the failure of authentication is a
warning to the administration that the particular IMSI or TMSI has been compromised.

Only a single pair of algorithms is normally used at any one time. It is possible for a system administration 
to vary between pairs of such algorithms but there are no plans at this time to assign two different mobiles 
different algorithm pairs. 



It is to be understood that the above description is only of one preferred embodiment of the invention.
Numerous other arrangements may be devised by one skilled in the art without departing from the scope of the
invention. The invention is thus limited only as defined in the accompanying claims.
APPENDIX A
ACRONYMS AND ABBREVIATIONS

AUC        Authentication Center
AM         Administrative Module
BSC        Base Station Controller
BSS        Base Station System
BSSAP      Base Station System Application Part
BSSOMAP    BSS Operation Maintenance and Administration Part
BSSMAP     Base Station System Management Application Part
BTS        Base Transceiver Station
CM         Communications Module
DFI        Digital Facility Interface
DTAP       Direct Transfer Application Part
EIR        Equipment Identity Register
GSM        Global Systems for Mobile Communications
ISDN       Integrated Services Digital Network
ISO        International Standards Organization
HLR        Home Location Register
IMEI       International Mobile Equipment Identification
IMSI       International Mobile Subscriber Identification
ISUP       ISDN User Part
LAI        Location Area Identifier
OMC        Operations and Maintenance Center
MAP        Mobile Application Part
MS         Mobile Station (personal communication station)
MSC        Mobile Switching Center
MTP        Message Transport Part
PH         Protocol Handler
PSTN       Public Switched Telephone Network
PSTN GSM   PSTN Global Switch Module
PSU        Packet Switching Unit
RAND       Random Number
SCCP       Signaling Connection Control Part
SIM        Subscriber Identity Module
SM         Switching Module
SMG        Special Mobile Group
SMP        Switching Module Processor
SRES       Signed Response
SS7        Signaling System 7
TC         Transaction Capabilities
TCAP       Transaction Capabilities Application Part
TMSI       Temporary Mobile Subscriber Identification
TSIU       Time Slot Interchange Unit
TUP        Telephone User Part
WGSM       Wireless Global Switching Module
WSM        Wireless Switch Module
VLR        Visitor Location Register


Claims 



1. In a cellular mobile telecommunications switching system, a method of signaling from any base station
system to any of a plurality of control processors of said switching system assisting in the control of a
wireless service for a mobile subscriber comprising the steps of:

    transmitting signaling messages having a common reference number for control of said service for
    said subscriber from said base station system (BSS) over a physical circuit connection to a signal switching
    means for performing protocol handling and data switching for said messages;

    within said signal switching means, maintaining state information for controlling the protocol of a
    plurality of virtual circuit connections, having a common reference number, between the BSS and the
    signal switching means; and

    transmitting messages received in said signal switching means over one of a plurality of second
    physical circuit connections therefrom to one of said control processors of said switching system for
    assisting in the control of a wireless service.

2. The method of claim 1 wherein said the second transmitting step comprises:

    transmitting said messages through a switchable circuit connection of a voice/data communications
    switching network of said mobile telecommunications switching system.

3. The method of claim 1 wherein said signal switching means perform a translation to determine which of
said control processors should receive a message.

4. The method of claim 3 wherein said translation is performed to determine which of said control processors
comprises a data base to which said message is to be transmitted.

5. The method of claim 3 wherein said translation comprises translating message data to determine which
call control processor should receive said message.

6. The method of claim 3 wherein said translation comprises translating an identification number to
determine which control processor should receive said message.

7. The method of claim 6 wherein said translation comprises translating a Temporary Mobile Subscriber
Identification (TMSI) to determine which control processor should receive said message, while maintaining
randomness of the TMSI required by standards.

8. The method of claim 7 wherein said translation comprises translation of a subfield of said TMSI for
identifying said control processor.

9. The method of claim 3 wherein said translation comprises translating an International Mobile Subscriber
Identification (IMSI) to determine which control processor should receive said message.